On Tue 02 Aug 2005 at 10:28:29AM -0700, Devon Heron wrote:
> The problem with IOS using the OpenCA OCSPd server is probably due
> to a bug that's fixed in the interim IOS image 12.4(1.4). The
> generally available image with this fix would be 12.4(2). The
> Cisco bug id is CSCge44783, and was caused by IOS expecting 3 HTTP
> headers in the OCSP query while OpenCA only issued 2 Headers... I
> tweaked my version of OCSPd to add a 3rd http header.

I do not seem to be able to fix my issue, with an image
c7200-ik9o3s-mz.124-3.bin. On the ocspd side, I have patched src/server.c
of OpenCA-OCSPD-1.0.3 with

393d392
< "Content-Transfer-Encoding: Binary\r\n"

Logs I am getting on the IOS side:

Aug 8 17:54:40: CRYPTO_PKI: Found a issuer match
Aug 8 17:54:40: CRYPTO_PKI: http connection opened
Aug 8 17:54:40: CRYPTO_PKI: OCSP response status - successful.
Aug 8 17:54:40: E ../crypto/ca/provider/revoke/ocsp/ocsputil.c(328) : Error #708h
Aug 8 17:54:40: CRYPTO_PKI: failed to verify OCSP response - 1800
Aug 8 17:54:40: CRYPTO_PKI: Certificate not validated
Aug 8 17:54:40: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from XXX.XXX.XXX.XXX is bad: certificate invalid

Guillaume
--
Guillaume Tamboise
"First they ignore you, then they laugh at you, then they fight you,
then you win." -- Gandhi
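
Review bot: the hunk header 393d392 followed by a "<" line is a deletion in normal diff format, so as posted the "Content-Transfer-Encoding: Binary\r\n" line exists at line 393 of the first file and is absent from the second, which reads as removing a header from src/server.c, while the quoted advice was to add a third HTTP header. If the line was in fact added, the diff was taken with the files in reverse order. Regenerating it as a unified diff (diff -u original patched) would make the direction unambiguous and show the neighbouring header lines, which a reviewer needs in order to confirm where in the response header block the new line sits.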
